The Risks Digest

The RISKS Digest

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Volume 15 Issue 24

Tuesday 9 November 1993

Contents

o Smart Houses? No Thanks!
Jim Brown
o Ada, a standard no more?
Luis Fernandes
o Pets & data communication
Bruce Clement
o Orange County DACS outage
Matt Holdrege
o Review of Bruce Sterling's Hacker Crackdown
Peter B Ladkin
o Alvin and Heidi Toffler's War and Anti-War
Jeffrey D. Young
o Re: Car owners confused with gun owners
Martin Minow
o Software control problems in Block 40 F-16s
Peter B Ladkin
o Investment program turns into doomsday machine
Rogier Wolff
o Re: Notice of Fire Hazard with Dell Notebook Computers
Don Porges
o Internet Security
William Hugh Murray
o Stupid language games
Richard Schroeppel
o Networking on the Network
Richard Schroeppel
o Anonymous postings
anonymous? No
Daniel Lieber
o Properties of Anonymizing Service
Anthony E. Siegman
o Risk-happy drivers foil anti-lock brakes
Dyane Bruce
o Info on RISKS (comp.risks)

Smart Houses? No Thanks!

Jim Brown <jbrown@umi.com>
Tue, 9 Nov 1993 14:04:18
While listening to a recent Marketplace Radio spot on Smart Houses I became,
at first amused, then alarmed, by what is now possible with smart houses. ( A
smart house has an electronic control center that can be operated locally or
remotely.)  Access to the smart house control center is though an ID/PIN
setup.

The amusing features (to me anyway) are having the 'house voice' reply to
simple questions.

Alarming features were setting lighting, temperature, and other security
features - even remotely over the phone!  I can't think of something more
intimidating that having some hacker/cracker take control of the electronic
controls of my house!

What are these designers thinking who make these houses?  Do they assume that
an ID/PID setup is secure enough?  And why on earth do they allow remote
access via telephone- a very non-secure medium?

No smart house for me.

Jim Brown, 300 N. Zeeb Rd. Ann Arbor, MI 48106 (USA)   (313) 761-4700 x3227
jbrown@umi.com


Ada, a standard no more?

luis fernandes <elf@ee.ryerson.ca>
Sun, 7 Nov 93 11:54:33 EST
>From the October 11, 1993 issue of "Aviation Week & Space Technology":

    The use of Ada as the standard Defense Dept. computer language
    should be rethought, the head of the Air Force Electronic System
    Center told an audience recently. "The Defence Department lost power
    years ago on computer development, but some don't realize it", Lt.
    General Gordon E. Fornell told the Society of Experimental Test
    Pilots. Instead of insisting on Ada, the best software for the
    task would be used-- and that software should be commercially
    available. "There are great dollar values out there", Fornell
    said. "It's obviously time for a little rethinking about Ada, and
    it's getting to the 'just do it' point".


Pets & data communication

Bruce Clement <frey@alfheim.actrix.gen.nz>
Mon Nov 08 16:32:24 1993
This happened tonight while I was reading RISKS.

I noticed that the lights on my modem were behaving strangely & switched the
uucico program to the foreground. It was reporting a string of "NO DIALTONE"
responses.

Picking up the study's phone, I found it to be dead.
The extension in the lounge was also dead.

In a corner of the bedroom, I have the basestation for my Panasonic cordless
phone (which can also act as a speaker phone) which was off hook, and
presumably had been off hook long enough for the exchange to "notice".

As I had used the study's phone since arriving home, how this extension
could be "off hook" was a mystery, which was not solved until I walked over
to it & discovered /dev/pet (my rat) hiding behind the phone.

Why is the on/off button on a phone sufficiently sensitive to be tripped by
310 gramme rat walking over it?

Oh, yes, what's the risk? If I hadn't diagnosed the problem, UseNet wouldn't
have been able to get to the computer, and as I wouldn't have been able to
phone for pizza, the rat would have had to eat lab block again :-)

Bruce Clement    (frey@alfheim.actrix.gen.nz)


Orange County DACS outage

Urban Surfer <HOLDREGE@DCV4KD.PHS.COM>
Tue, 09 Nov 1993 14:38:41 -0800 (PST)
About 6 weeks ago, I posted in the Telecom Digest an account of the DACS
outage in Orange County, CA. I received several queries for more information.
It seems that a lot of people were disturbed to learn about the potential
points of failure on a DACS as well as the bug we experienced.

I recently took a tour of the affected CO and met with the switch and DACS
administrators to ask further questions. At this point, they believe that they
have fully addressed all software & procedural issues with the DACS IV. They
also stated that the software patches they applied have been propagated
throughout the entire Bell network.

Pac Bell, as required by law, filed a report of the outage to the FCC. This is
a public document. I'm not sure what the normal method is for obtaining that
document, but I know there is one. For those who need to know now, I received
a copy by fax, retyped it put it up for anonymous FTP on DCV4KD.PHS.COM under
DACS.OUTAGE.

Matt Holdrege          matt@phs.com        MH235


Interesting book review --- Bruce Sterling's Hacker Crackdown

Dr Peter B Ladkin <pbl@compsci.stirling.ac.uk>
9 Nov 93 00:03:13 GMT (Tue)
The adjective may be chosen to modify either. Ian Stewart is a mathematician
who writes wonderfully well, as readers may see by looking at his review, in
the London Review of Books 15 (21) of 4 November 1993, of Bruce Sterling's
`The Hacker Crackdown: Law and Disorder on the Electronic Frontier', Eric
Raymond's edition of `The New Hacker's Dictionary', and Bryan Clough and
Paul Mungo's `Approaching Zero, Data Crime and the Computer Underworld'.
(I had wondered what Clough had been doing since he retired from soccer).

Stewart refers to various incidents, such as the 15 Jan 1990 4ESS problems,
the stoned virus, the Internet worm (but when will people stop deprecating
Eric by implication?), and the Secret Service crackdown on Steve Jackson
games and `Knight Lightning'. Stewart's closing sentence: `"Approaching Zero"
shows that we have a lot to fear from the activities of those (few) hackers who
are genuinely malevolent. "The Hacker Crackdown" suggests that we have just
as much to fear from programming errors - and that American citizens have far
more to fear from their Secret Service.'

Peter Ladkin


War and Anti-War (by Alvin and Heidi Toffler)

"Jeffrey D. Young" <0004784090@mcimail.com>
Sun, 7 Nov 93 20:18 EST
>From the authors of "Future Shock" (1970), "The Third Wave" (1980), and
"Power Shift" (1990), "War and Anti-War" (1993) looks at the way we make
war and peace now and in the 21st century.

The Tofflers propose that as we move from an industrial society to an
information society, changes in the way we make wealth will be reflected
by changes in the way we make war (and hopefully peace).

Many of the concerns noted by Winn Schwartau in "Terminal Compromise" are
echoed in "War and Anti-War", as well as some new concerns with more dire
consequences.

War and Anti-War: Survival at the Dawn of the 21st Century
by Alvin and Heidi Toffler
Little, Brown and Company 1993
ISBN 0-316-85024-1


re: Car owners confused with gun owners (Hawthorne, RISKS-15.22)

Martin Minow <minow@apple.com>
Tue, 9 Nov 93 10:43:42 -0800
Brian Hawthorne's description of a problem his wife had when she received a
request to renew her firearm license because "someone loaded a tape containing
the list of car owners who needed to renew their automobile registration
instead of the list of gun owners needing to renew their carry permits"
reminded me of a made for tv movie that was shown in Sweden in the mid-1970's.

Its premise was that the government computer that processed driving licenses
was also processing hunting licenses [timesharing] and, because of "thought
transference" between the two programs, the civil status of one Holger
Swensson was changed from "married" to "elk."

Well, this was a problem, but one without a simple solution. Unfortunately,
the local social welfare department cannot help elks. The situation became
worse as time went on and hunting season quickly approached. Finally, a
sympathetic bureaucrat hit upon the best solution: he found the one place
where Holger would be safe and, in the last scene, you saw him spread his
sleeping bag out in the Stockholm Zoo.

Kafka and Ionesco would have enjoyed this.    [and made Rhinockwurst?  PGN]

Martin Minow  minow@apple.com


Software control problems in Block 40 F-16s

Dr Peter B Ladkin <pbl@compsci.stirling.ac.uk>
7 Nov 93 18:02:31 GMT (Sun)
Here is an example of a problem which has been partly attributed to software
control of fly-by-wire aircraft.  With aircraft, many factors usually
contribute to a problem or an accident. That is, many factors are usually
jointly necessary for a problem to occur, and no factor is itself sufficient.
So partial attribution is the highest grade of causal involvement that one
should normally expect.

Block-40 F-16's with the heavier wing-tip mounted AMRAAM AIM-120A's can endure
2g, 4-5Hz oscillations at the wingtips which caused problems severe enough
(e.g. instruments could not be read in the cockpit) that a 550kt speed limit
(TAS or IAS not stated) was imposed. This is to be lifted, since a fix has
been found.

`Lockheed is developing new digital flight-control software for Block 40
F-16s.  Use of the software will end restrictions which limit the aircraft to
550kt (1,000 km/h) when armed with [the AIM 120A's]. [....]'
(Flight International, 3-9 Nov,p18).

`Investigation work by the test team has revealed that oscillations of between
4-5Hz, induced by the missile at the wing tip, are exacerbated by the flight
control system, which effectively over-reacts to inputs from the aircraft's
rate gyros. The USAF is evaluating modifications to the flight-control
laws...'  (Flight International, 20-26 Oct, p21).

`The test team believes that the phenomenon can be traced to the larger size
and weight of the AIM-120A, combined with the improved, four-channel digital
flight control system, as well as structural differences of the heavier Block
40 aircraft.' (Flight International, 3-9-Nov, p18).

This latter article interviewed Lt. Col. John Armor, one of the test pilots
`working on the program'.  So, we can assume this is an `official' attribution
of cause that includes the flight control system (whether software or hardware
seems to me to matter less - it's the specification and the computational
behavior that are under question), since it came direct from a member of the
USAF.

Peter Ladkin


Investment program turns into doomsday machine (v.d. Meulen, -15.21)

Rogier Wolff <wolff@liberator.et.tudelft.nl>
Mon, 8 Nov 1993 18:14:41 +0100 (MET)
As a (very small scale) stockholder I'd like to make a few observations,
corrections and additions.

> The investment fund Groeigarant put the "Black Box" out of order. It was
> designed by Ton Jongbloed, former president of Staal Bankiers, to advise
> investors. He claimed on long term it would be twice as profitable as
> investing in public loans. However the expert system EIS (Electronic
> Investment Sector) proved to be a "doomsday machine". Only by disconnecting
> it from the mains larger damage could be averted.

The system was never wired directly into the stockmarket. There has
always been a sanity check of the programs output.

> Roughly, the principle of the program was: buy when prices go down, sell
> when prices go up.

The principle is based on the assumption that a stockmarket price is
an actual value, plus some added noise. They want to buy when <noise>
is less than zero, and they want to sell when the <noise> value is
larger than zero.

The program EIS works by calculating an estimate of the "actual value",
and based on that it will know an estimate of the <noise> .

> Therefore, EIS issued orders to sell only. It sold almost all
> the stocks Groeigarant had, and would have sold even more. The latter would
> have led to a very risky situation. Selling stocks not available can lead
> to severe losses when forced to deliver (and having to buy at even higher
> prices).

Contrary to other investment funds, Groeigarant changes rapidly between
having 90+ % of the capital in stocks to having less than 10% in stocks.

Contrary to their original aim ("Groeigarant is a fund that will invest
in stocks available at the Dutch stock exchange"), they currently also
invest at the options exchange.

> Groeigarant says it will base its future investments on fundamental and
> technical analysis of the stock market. Luckily, the consequences for the
> fund have been kept to a minimum. Severe losses have been prevented. At the
> moment the fund mainly possesses money, rather than stocks.

I have noticed that over the last two years, the "sanity check" went from
"sanity check" to "this is what we want the system to say, so that's what
we'll make it say". They have been "forcing the system to say what they
want" for about a year now.

Another interesting thing: Since a few months they allow you to buy stock at
the -*lowest*- price over a month (in hindsight :-)! Stock bought in this way
can be sold again at the -*highest*- price.  I could start this scam: I give
them $1000 every month, and sell the equivalent amount of stock each month.
This gives me a sure strategy to make money: Groeigarant stockprices go up and
down enormously.  They do make money on the transaction costs, but these are
very likely to be less than the difference between highest and lowest value
over a months time.

The "management fee" that Groeigarant pays to the executives is interesting
too: They calculate their return on investment (r.o.i) over a period of three
months, subtract the r.o.i of the public loans and pay 25% of the result to
the management.  The funny thing is that even if the long-term return on
investment is zero, the r.o.i. over a "small" period as three months can be
higher, and they will pay. However there is no "reverse" rule, that goes into
effect when the next three months the net result is negative.

I have this theory, that the decision to buy or to sell can be made on the
basis of the ratio between todays and yesterdays price. However the
transformation function is fractal, and can only be determined by inspecting
actual data. I therefore train the computer based on the stockmarket prices of
the last few years. Next, if I feed the computer the same data that it was fed
in the learning phase, it will perfectly predict when to sell, and when to buy
stock. This only happens on the dataset that it was trained with. On any other
dataset, it will more or less generate random buy and sell advices, and incurr
transaction costs.

This is more or less the effect what I have been suspecting in EIS since the
beginning. Groeigarant denies that this is the case, and even claims that they
didn't have the dataset: When they started they claimed enormous net results,
that had been obtained on the last few years, but since the introduction (At
least 3 years ago) they have exactly the same value right now as at the
introduction.
        Roger.


Re: Fire Hazard with Dell Notebook Computers (Robillard, RISKS-15.23)

Don Porges <porges@banshee.camb.inmet.com>
Tue, 9 Nov 93 18:59:46 EST
> ... Dell will send you a shipping box overnight and will arrange for
> next day delivery of your system to our repair facility.

Assuming, that is, that 1-800-847-4171 really *is* Dell, and not a
large-scale computer thief.  Risks upon risks.


Internet Security (PGN, RISKS-15.23)

William Hugh Murray <75126.1722@compuserve.com>
08 Nov 93 09:15:58 EST
>...  By induction, virtually the entire net is at risk
>sooner or later, by iterative closure [cloture?].

Beautifully and briefly argued.  I agree completely and have so argued (see
the Risks archives.)

The bad news is that we are adding new target nodes to the network at a much
faster rate than we are protecting with token-based one-time passwords.  The
situation is getting worse not better.  If I wait until the good behavior of
my neighbors reduces the risk of the net, I will wait a very long time.

The good news is that I need not wait.  I can remove my system from the target
population for pennies per user per day.  I can continue to enjoy the
connectivity and economy of the net without the risk.  I can do it
unilaterally at the network, or even the computer, application layer.

Connectivity, lowest price, security; pick any two.

William Hugh Murray, Executive Consultant, 49 Locust Avenue, Suite 104; New
Canaan, Connecticut 06840 1-0-ATT-0-700-WMURRAY; WHMurray@DOCKMASTER.NCSC.MIL


Stupid language games (Parnas, RISKS-15.22)

"Richard Schroeppel" <rcs@cs.arizona.edu>
Sun, 7 Nov 1993 17:28:11 MST
Dave Parnas writes
  Pete Mellor wrote, "Prof. Cliff Jones of Manchester characterised the
  complexity of software in terms of the number of branch points ...

Some peevish nits --

The first sentence of the Cliff Jones quote suggests that the number of
paths through a piece of software is equal to, or perhaps proportional to,
the number of branch points.  Subsequent sentences correct this impression,
but there must be a better way to state the relationship.

Nit2: The actual ratio of branch points to lines of code in my programs, and I
suspect all readers of this message, is much less than 1/5, if function calls
are excluded; and higher than 1/1, if function calls are included.

Nit3: There's an implicit assumption in the Jones statement that the number of
paths through the code is roughly exponential in the number of branch points.
This depends entirely on the code, and need not be true: If I'm comparing two
programs which generate reports, and one has 10000 lines and the other 100000
lines, it's perfectly possible that the larger program will require only ten
times as much testing.  The important questions are things like nesting depth,
interlinked flow of control, interrupt handling, etc.  Mere size is a weak
indicator.

Nit4: I can't tell without more context, but are any of Jones, Mellor, or
Parnas endorsing the position that only exhaustive testing is appropriate?

Nit5: What are we to mean by "exhaustive", anyway?  If I have a 32bit
computer, I can't even test the ADD instruction exhaustively, much less a
program.  [2^32 * 2^32 * 1 nsec = 600 years.]  Let's talk about my carburetor:

  It is worth remembering that were Gottlieb Wilhelm Daimler still alive,
  he might remind us that the composition of the gasoline (petrol) is
  important.  If we consider the number of possible different mixtures
  of hexane, heptane, and octane, and their isomers, we can't possibly
  conduct an exhaustive test.  Noone should ever imply that a carburetor
  has been exhaustively tested.

Can we please consider specific criticisms, rather than simply chanting
"Big Is Ugly"?

Rich Schroeppel   rcs@cs.arizona.edu


NETWORKING ON THE NETWORK

"Richard Schroeppel" <rcs@cs.arizona.edu>
Sun, 7 Nov 1993 17:54:39 MST
Phil Agre recently offered us advice on how to network for success.
I didn't see any response to his message, so I thought I'd offer a
different view.  I wish to go on record as stating

 "I do not choose my friends based on their potential usefulness
  to my professional advancement.  Even a little bit."

Rich Schroeppel   rcs@cs.arizona.edu


Anonymous postings

<anonymous.poster@someplace.on.earth.I.think>
Mon, 8 Nov 93 13:17:34 -0800
This is in response to the dangers of anonymous postings as stated in
RISKS-15.19.  It is an interesting topic, but the idea of using a redirector
for anonymous postings is not required.  As this message demonstrates (from
anonymous.poster@someplace.on.earth.I.think), it is very easy to send
anonymous mail from locations without a trace.  (The possibility of it being
traced is there, but not likely.)  In fact, this particular message is being
routed courtesy of the recipient's machine (PGN- please verify).  I will not
disclose this method of anonymous mailings to requesters -- it is public
information.  I wish you all the best of luck in your security issues.  And
now for who I am... --Daniel Lieber, Systems Manager, _The Vanguard_ at
Bentley College, Waltham, Mass. USA <LIEBER_DANI@ Bentley.edu>.


Properties of Anonymizing Service

"Anthony E. Siegman" <siegman@sierra.stanford.edu>
Sun, 7 Nov 93 19:54:39 PST
   I was surprised to learn recently that if one replies to a message or
newsgroup posting which has been anonymized by passing through the
anon.penet.fi service, not only is your reply transmitted through to the
original anonymous sender, but also you are assigned an anonymous code name
and the connection between this code name and your real address is stored,
presumably indefinitely, in the anonymizing service's files.  You're not asked
if you want this to happen, though you are informed it's been done.

   I have no clearly formulated objections to anonymizing services like this
-- though they clearly cause certain problems -- but I'm not sure I like this
policy. A user who deliberately sends a message or newsgroup posting through
such a service presumably agrees to its rules.  But an individual who replies
to such a message or posting may not have any idea what " anon.penet.fi"
really is -- in fact, someone replying to a newsgroup posting may not even
note what machine it came from -- and may not want to be added to their
records.

   To cite just one (perhaps far-fetched) risk, an anonymizing service might
be used by bad guys to do some bad thing, causing law enforcement people to
swoop in and seize records.  Your name could then be found in those records,
perhaps not clearly identified as a mere innocent "replier" rather than a
deliberate user, leading to possible embarrassment or maybe worse.

   The proprietor of the anon.penet.fi service has not yet replied to
my inquiries concerning this policy.     --AES


Risk-happy drivers foil anti-lock brakes

Dyane Bruce <db@diana.ocunix.on.ca>
Sun, 7 Nov 1993 11:39:44 -0500
>From the Ottawa Citizen Sunday Edition November 7, 1993
Risk-happy drivers foil anti-lock brakes
by Brad Evenson, Citizen consumer writer

     Anti-lock brakes, hailed by car companies as a leap  forward  in  auto
safety,  do  not  reduce the number of accidents, injuries or deaths on the
road, says a U.S. research group. And a recent Transport Canada  study  may
have unlocked the reason why: people like risk.
     Anti-lock brakes, standard equipment on a third of new  vehicles  sold
in  Canada,  are  designed  to help drivers keep control on slippery roads.
When a braking wheel loses traction, a sensor causes the brake  to  release
and tighten rapidly many times, maintaining a grip on the road.
     Technically, the systems perform well. But they've yield no change  in
accident statistics.
     "The number of accidents, injuries and deaths has remained constant in
models with ABS in the United States," says Brian O'Neill, head of the U.S.
Insurance Institute for Highway Safety.
     The group compared automobiles equipped with anti-lock brakes with the
same  models produced in the previous year that didn't have them. There was
no appreciable difference, says O'Neill.
     The Canadian experience  is  similar.  In  1991,  there  were  roughly
173,000  collisions involving 248,600 injuries and 3,684 deaths. Statistics
for 1992, to be released this week, are expected  to  show  a  five-percent
decline  in  accidents,  but federal officials do not attribute the drop to
anti-lock brakes.
     The RCMP is one of the country's largest auto buyers,  but  there  has
not  been  any  reduction  in  damage to its 7,000-vehicle fleet since ABS-
equipped models were introduced three years ago. About a third of its vehi-
cles now have the brake systems.
     "In test, police drivers  found  they  were  able  to  manoeuvre  more
quickly,"  said  RCMP  spokesman  Const.  Tim Cogan. "But we haven't seen a
difference in the number of accidents."
     This has baffled car  manufacturers  such  as  General  Motors,  which
advertises anti-lock brakes as a safety feature -- a crash-avoidance system
preferable to air bags.
     But a recent Canadian study offers an  answer.  At  a  test  track  in
Blainville,  Que.,  Transport  Canada  scientists  divided  80 drivers into
groups, testing their performance with anti-lock and ordinary brakes.
     "After having practised the emergency stopping manoeuvres  with  anti-
lock  brakes, drivers drove faster, had higher accelerations around a curve
and stopped harder," a summary of the study said.
     "If drivers choose to drive faster because they know they have greater
control,  and  if  they  choose to follow other vehicles more closely under
slippery road conditions, then the safety  benefit  from  anti-lock  brakes
might be reduced or lost completely."
     The theory explaining the results is called "risk homeostasis," and  it
also explains why people bungee jump or helicopter ski.
     "People like to maintain a constant level of risk," says Chris Wilson,
director-general of road safety at Transport Canada.
     "When a situation gets safer, people like to  increase  the  level  of
risk."
     Some authorities, however, scoff at the risk  homeostasis  theory.  In
the  1980s,  GM  sent a Detroit engineer to Canada to study whether drivers
who wore seat belts drove recklessly " because they wouldn't get hurt in an
accident," recalls Wilson of Transport Canada.
     The engineer took photographs of drivers along Hwy. 401 [A major high-
way  that  runs  through  Toronto  Ont.  Canada  db], checking seatbelt use
against their driving habits.
     He found no evidence of the theory; people drove the  same  with  seat
belts on.
     While the evidence of improved safety with anti-lock brakes is scanty,
the  life-saving  record  of airbags, which inflate upon collision, is more
abundant.
     "There is  clear-cut,  statistical  proof  the  airbags  improve  your
chances  (of  survival)  in  a  collision,"  says the insurance institute's
O'Neill.
     But car makers have resisted introducing airbags, complaining they are
too expensive and don't help avoid accidents.
     "An accident avoidance system (such as anti-lock brakes) is  obviously
better  than  one that doesn't prevent accidents," says Chris Douglas, pro-
duct spokesman for GM of Canada Ltd.

Dyane Bruce, 29 Vanson Ave. Nepean On, K2E 6A9, 613-225-9920
db@diana.ocunix.on.ca

Please report problems with the web pages to the maintainer

Top